For as long as I can remember, retailers have recognized the importance of segmentation. The perils of mixing transactional data with other types of network traffic are significant. Yet, many retailers have found that a lack of attention in this area results in the compromise of transactional or Personally Identifiable Information (PII).
The challenge becomes exponentially more complex as the use of technology expands:
The long-predicted explosion of Internet of Things (IoT) devices is finally here. As many businesses respond to unpredictable business circumstances, it has become increasingly important that they have near real-time operational data on their stores and distribution centers. What is the current occupancy of my store? Are my chillers, freezers, and hot tables working properly? Where are my associates and customers? What is my current inventory-on-hand (and what’s on the inbound truck, and when will it be here)? These questions can all be answered using IoT sensors. It is worth noting, though, that IoT sensors are limited or single-function devices, and therefore are not always able to defend themselves. If left unprotected, these devices can present a tempting attack surface for threat actors.
Point of Sale may not always be a static location. We are seeing more retailers shun the traditional fixed point of sale and adopt mobile devices. In some cases, the POS may still be at a lane or cash wrap, but it may also be used for line busting, curbside pickup, home delivery, and for omnichannel returns. These additional use cases shift the emphasis from dedicated payment terminals that communicate directly with a payment processor, to multifunction devices sitting on the wireless network.
Guest wireless is now table stakes – customers expect to be able to send and receive text and email, access their shopping lists, or showroom their impending purchase to ensure they are getting the best price. A robust wireless network will not only be an expectation going forward but a necessity to support associate efficiency and customer needs. With the advent of 5G networks, any communication that happens in the store via a mobile device needs to happen over the store wireless network, because 5G signals are unlikely to penetrate the structure of the building. Voice and data will cease when customers enter the store unless the device can seamlessly roam onto the store network. That network will need the resilience and capacity to handle that traffic. Customers who cannot continue their conversations or access their data while in the store are likely to “vote with their feet” and shop elsewhere. In much the same way as guests now judge hotels by how fast and reliable the internet service is in their rooms, connectivity will be paramount for consumers and guests alike.
The inextricable move to the cloud has accelerated recently for multiple reasons – a need to
- reduce the physical IT footprint in the store
- stand up and configure new or pop-up stores quickly
- capitalize on the elastic capacity that cloud processing provides for busy periods
- leverage Software as a Service offerings for business systems such as supply chain and customer relationship management.
This shift to public, private, and hybrid cloud can introduce new complexity and create a reliance on external parties, leaving the retailer with limited visibility into, and control over, those systems.
Many systems that are considered non-essential to the core retail mission (such as mechanical maintenance and physical security) are increasingly being outsourced. These moves result in third-party managed (or unmanaged) devices and sensors residing on the store or distribution center network.
These changes in the day-to-day operations of retailers can significantly increase the attack surface, and consequently the risk profile, for the retailer if not appropriately mitigated. The key is having a well-planned and executed segmentation and access control policy to ensure that devices and users can only access the systems and data appropriate for their role. Traditionally, this has been a somewhat manual process, which may be perfectly feasible for smaller organizations, but much more complex for larger retailers.
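As an added illustration (not code from the original post), the following sketch shows what a default-deny segmentation policy for the zones discussed above looks like when it is checked against observed traffic. The subnets, port numbers and flow records are constructed assumptions for the example.

```python
import ipaddress

# Constructed store-network zones (assumed subnets, not from the original post).
ZONES = {
    "pos": ipaddress.ip_network("10.10.1.0/24"),            # mobile and fixed POS
    "iot": ipaddress.ip_network("10.10.2.0/24"),            # chillers, occupancy sensors
    "guest": ipaddress.ip_network("10.10.3.0/24"),          # customer wireless
    "third_party": ipaddress.ip_network("10.10.4.0/24"),    # vendor-managed devices
    "payment_gw": ipaddress.ip_network("10.20.0.0/24"),     # payment processor gateway
    "iot_collector": ipaddress.ip_network("10.20.1.0/24"),  # IoT telemetry collector
}

# Default-deny allow list: (source zone, destination zone, destination port).
# "*" matches any port. Anything not listed here is a policy violation.
ALLOWED = {
    ("pos", "payment_gw", 443),
    ("iot", "iot_collector", 8883),
    ("third_party", "internet", 443),
    ("guest", "internet", "*"),
}


def zone_of(ip):
    """Map an address to its zone; anything outside the defined subnets is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src, dst, port):
    s, d = zone_of(src), zone_of(dst)
    return (s, d, port) in ALLOWED or (s, d, "*") in ALLOWED


def audit(flows):
    """Return the flows (src, dst, dst_port) that the segmentation policy does not permit."""
    return [f for f in flows if not is_allowed(*f)]


# Constructed sample flows: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.1.15", "10.20.0.5", 443),      # POS -> payment gateway: allowed
    ("10.10.2.40", "10.20.1.9", 8883),     # chiller sensor -> collector: allowed
    ("10.10.2.40", "10.10.1.15", 445),     # sensor -> POS device: violation
    ("10.10.3.77", "10.10.1.15", 443),     # guest phone -> POS device: violation
    ("10.10.3.77", "203.0.113.10", 443),   # guest phone -> internet: allowed
    ("10.10.4.8", "10.10.2.40", 80),       # vendor device -> sensor: violation
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("VIOLATION", zone_of(flow[0]), "->", zone_of(flow[1]), flow)
```

Feeding real flow logs through `audit` turns the written policy into a check that catches, for example, an unprotected sensor or a guest device reaching the POS zone before it becomes a compromise.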
In part 2 of this blog, I will talk about methods of automating segmentation to ensure that the default state of the network is a secure one and that security doesn’t play second fiddle to innovation and business agility.
This blog post was originally written by Mark Scanlan for Cisco Blogs.